The following are the several types of virii that exist today.
The most successful virus to ever be created will probably be none of the following definitions and will create new standards in order to propagate itself and stay hidden.

;### Polymorphic Virii ###;

Polymorphic virii encrypt their own body. Self-encryption usually hides the virus signature from the AV software. For a polymorphic virus to spread, the virus first decrypts itself ... the virus has to momentarily take control of the CPU in order to do this. After decrypting the body of the virus, the decryption routine gives control of the machine to the decrypted viral body so the virus can spread.


A polymorphic virus is significantly harder for AV software to detect, because it generates new decryption routines on each infection, which also changes the virus signature. Usually polymorphic code changes its signature using a simple binary generator called the mutation engine (MTE) ... The MTE uses a random number generator and a simple algorithm to change the virus signature. With the MTE we can make any virus polymorphic by making a few simple changes to the assembly code to call MTE before copying itself.
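
Why a fixed signature misses an encrypted body, and one scanner-side answer to it, as an added example (not part of the original text). It assumes the simplest case, a body XORed with one constant byte, and uses a constructed inert marker string in place of a real signature; the function names are hypothetical.

```python
# Added example: "x-ray" scan for a signature hidden by single-byte XOR.
# All sample bytes are constructed, inert data; no real malware is involved.

def xor_delta(data: bytes) -> bytes:
    """XOR of each adjacent byte pair. Constant-key XOR cancels out here:
    (a ^ k) ^ (b ^ k) == a ^ b, so the result is the same for every key."""
    return bytes(a ^ b for a, b in zip(data, data[1:]))


def xray_scan(buf: bytes, signature: bytes):
    """Return (offset, key) for each place `signature` occurs in `buf`
    under some single-byte XOR key (key 0 means it is stored in the clear)."""
    if len(signature) < 2:
        raise ValueError("signature must be at least 2 bytes")
    want = xor_delta(signature)
    have = xor_delta(buf)
    hits, start = [], 0
    while (i := have.find(want, start)) != -1:
        # Matching deltas imply every byte differs from the signature by
        # the same key, so the first byte is enough to recover it.
        hits.append((i, buf[i] ^ signature[0]))
        start = i + 1
    return hits


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


# Constructed stand-in for a scanner signature (inert marker string).
SIGNATURE = b"INERT-TEST-MARKER"
# Constructed "file" body: padding + marker; this part gets encrypted.
BODY = b"\x90" * 8 + SIGNATURE + b"\x00" * 4


def demo():
    results = {}
    for key in (0x00, 0x5A, 0xC3):            # a different key per copy
        sample = b"HEADER" + xor_bytes(BODY, key)
        plain_hit = SIGNATURE in sample         # classic fixed-signature check
        results[key] = (plain_hit, xray_scan(sample, SIGNATURE))
    return results


if __name__ == "__main__":
    for key, (plain_hit, hits) in demo().items():
        print(f"key={key:#04x} fixed-signature={plain_hit} xray={hits}")
```

This only sees through a constant single-byte XOR; against an engine that also rewrites the decryption routine on each infection, scanners rely on emulating the decryptor and scanning the decrypted body.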

;### Stealth Virii ###;

Stealth virii hide the modifications they make to your files or boot records. They hide this by monitoring the system functions the OS uses to read the files or sectors and by forging calls to such functions. Therefore programs that try to read the files or sectors see the original uninfected version. This helps hide the virus from AV; another way a stealth virus does this is to sit in memory while you run the AV.


The first DOS virus, Brain, was a stealth virus. This boot sector virus monitors physical disc I/O operations and redirects the OS every time it tries to read an infected sector. In programming terms the virus captures Interrupt 21H (int 21h), which is a system interrupt that processes DOS services.


Stealth virii usually have either size stealth or read stealth properties. Size stealth virii are the file infectors: the virus attaches itself to an executable and then replicates ... which makes the file grow, so the virus shows a copy of the uninfected size, which is the first thing it looks at upon infection (after checking for itself). Read stealth virii are of the Brain variety as mentioned above.

;### Slow Virii ###;

Slow virii are hard to detect because they only infect files (*.com for example) that the OS is modifying or copying. A slow virus only infects a file when a user performs some operation on the file. For example a slow virus might only infect the boot sector of a floppy when commands such as format and sys write to the boot sector. A slow virus might infect the copied version but not the original.

;### Retro Virii ###;

A retro virus is a virus that bypasses, edits, or destroys AV programs by attacking them directly.


Making a retro virus is a pretty simple task ... as all the programmer has to do is find the execution path and edit or otherwise hinder the AV software. This could involve editing the AV itself or its definition files, which could render the AV useless and the user totally oblivious to ANY virii that infect their system.


Other types of retro virii detect the AV and either hide from it, stop the AV, or in some cases trigger a destructive payload before the AV has a chance to stop it.

;### Multipartite Virii ###;

Multipartite virii infect both executable files and boot sectors, and sometimes floppy boot sectors too. They are called multipartite because they infect in multiple ways rather than targeting specific disk locations or file types. When you run a file infected with a multipartite virus, it infects the boot sector, and next time you boot your system the virus activates again and sits in memory ... it then infects every program you run.

;### Armoured Virii ###;

Armoured virii protect themselves by adding code that makes them very difficult to trace, understand and disassemble. They may protect themselves by wrapping code that deflects the onlooker from the actual operating code, or they might add distraction code that makes you think the virus is somewhere other than its true location.

;### Companion Virii ###;

Companion virii attach themselves to an executable file by creating a new file with a different extension ... hence their name: they make a companion file for each infected program. A companion virus might make notepad.com, which launches itself first and then the original notepad.exe, infecting the system.


Phage virii can also create companion files but it's not a defining or required feature.
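
A check for the companion pattern described above, as an added example (not part of the original text). It relies on DOS trying .COM before .EXE before .BAT when a program name is typed without an extension; the function names and the sample paths are hypothetical, and a hit is only a candidate to review, since legitimate same-named pairs exist.

```python
# Added example: flag possible companion files in a directory listing.
import os
from collections import defaultdict

# DOS tries these extensions in this order when a name is typed without one.
DOS_ORDER = (".com", ".exe", ".bat")


def find_companions(paths):
    """Group files by (directory, base name) and report every file that
    would run in place of a same-named program with a later extension.
    Returns a sorted list of (shadowing_path, shadowed_path) tuples."""
    groups = defaultdict(dict)
    for path in paths:
        folder, name = os.path.split(path)
        stem, ext = os.path.splitext(name)
        ext = ext.lower()
        if ext in DOS_ORDER:
            # DOS file names are case-insensitive, so compare lowercased.
            groups[(folder.lower(), stem.lower())][ext] = path
    findings = []
    for found in groups.values():
        present = [e for e in DOS_ORDER if e in found]
        for i, first in enumerate(present):
            for later in present[i + 1:]:
                findings.append((found[first], found[later]))
    return sorted(findings)


def scan_tree(root):
    """Walk a real directory tree and apply the same check."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return find_companions(paths)


# Constructed listing (hypothetical paths), mirroring the notepad example.
SAMPLE = [
    "C:/WINDOWS/notepad.exe",
    "C:/WINDOWS/NOTEPAD.COM",      # same base name, runs first
    "C:/WINDOWS/calc.exe",
    "C:/TOOLS/edit.com",
    "C:/DOS/edit.exe",             # different directory: not a pair
]

if __name__ == "__main__":
    for shadowing, shadowed in find_companions(SAMPLE):
        print(f"{shadowing} would run instead of {shadowed}")
```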


;### Phage Virii ###;

The last of the true virii. Phage virii are programs that modify programs or databases. Phage virii are the real bitch of the bunch as they are by far the most destructive by nature. They are not designed to attach themselves to other code or to replicate ... they are designed to overwrite every program they infect. A phage virus can spread by creating a companion virus of itself, so that when someone attempts to launch the program the virus runs again.

;### Macro Virii ###;

Macro virii are written in a simple macro programming language, more often than not nowadays VBA (Visual Basic for Applications). These virii usually target Microsoft Office applications such as Word and Excel.
About 3/4 of all virii found in the wild today are macro virii. A macro-infected document may have several macros, such as AutoSave, Exit etc., that replace their original counterparts with their own code but still operate in the expected way. The macro will generally try to infect any template that exists, such as world.dot, so that if the macro is removed it may still regenerate. Macro virii have picked up on the trend of opening the WAB and sending a copy of themselves to all addresses in the address book, the most famous of these being WM97/Melissa.

;### Worms ###;

Worms are not virii. They are self-replicating pieces of code that by nature should contain no payload (although this is not *always* the case). The most famous worm of all time was the Robert Morris Jnr worm that exploited a buffer overflow in the UNIX Sendmail program. Due to the speed at which worms create new instances of themselves, if they stayed on a single host they would soon eat up all the resources, so they spread from computer to computer, network to network (unlike a virus, which needs some sort of human intervention in order to spread). Because they can move so fast they often cause havoc, not due to malicious nature, but due to overload of mail servers etc.; the Morris worm nearly brought the whole internet to a standstill in its day. Most worms you will find written today are written in VBS (Visual Basic Script) and spread through Outlook. Recent high profile worms include LoveLetter and Life_Stages.

Definitions by Xp